Introduction: A cybersecurity alert has been raised as a group of hackers, believed to be aligned with Chinese interests, have been observed exploiting vulnerabilities in Roundcube webmail software. This campaign specifically targets physics and engineering departments at universities in the United States and Canada.
The attackers are taking advantage of previously patched critical security weaknesses in the open-source email platform. Notably, vulnerabilities like CVE-2024-42009, which holds a CVSS score of 9.3, are being used to steal credentials and deploy tools such as a web shell for ongoing access or a known tool called VShell.
Targeted Institutions and Methods
The threat group, currently tracked by Proofpoint under the code name UNK_MassTraction, was first identified in May 2026. Their focus is on administrative and academic staff, particularly within departments involved with national security or fields like astrophysics and particle physics.
Proofpoint reports show that the attackers utilized compromised email senders and exploited domains vulnerable to spoofing due to weak DMARC policies. This strategy not only broadened their target range but made tracing the attacks more challenging.
Exploitation Techniques and Tools
The attackers employed cross-site scripting (XSS) exploits that only necessitated the recipient to open the email in Roundcube, granting access to the mail server. It appears that the attackers conducted thorough reconnaissance to identify departments using vulnerable Roundcube versions before launching phishing emails that triggered exploits for CVE-2024-42009.
After exploiting these vulnerabilities, a payload named IceCube is deployed. This malware is engineered to extract credential information, including two-factor authentication details and cookies. It gathers additional data about the user’s browser environment, which is then sent to an external server.
Advanced Malware Deployment
The IceCube malware further exploits the session’s CSRF token to activate a second vulnerability, CVE-2025-49113, which allows remote code execution in Roundcube. This process aims to establish a foothold in the mail server, executing tools like VShell or a web shell known as SquareShell.
Should the web shell installation fail, the attackers have a backup method involving a shell script that uses the SNOWLIGHT ELF loader. This script is suspected to be shared among Chinese hacking groups, similar to other tools like ShadowPad.
IceCube also employs ‘deferred triggers’ to maintain the infection chain’s persistence. These triggers monitor user actions like closing the browser or logging out, and if detected, they reinitiate the exploit process, preserving the attack’s continuity.
Conclusion: This campaign is the first instance of Chinese hackers targeting Roundcube vulnerabilities, a tactic previously seen with Russian state-sponsored actors. The sophisticated use of n-day vulnerabilities and mature tools underscores the importance of securing email servers alongside other critical network infrastructure to prevent such intrusions.
